Re: Signing a message with S/MIME in Gnus?
On 2022-11-03, at 07:21, Angel de Vicente wrote:

> So, I was actually thinking of going for the second option: use SMIME
> when I send from the address in the certificate, and use PGP when
> sending from this gmail address. But now I need to figure out how to
> tell Gnus to do that. Right now I have the following, which makes sure
> that by default I will be always signing with SMIME. Do you know if
> there is an easy way to set these depending on the "From" address?
>
> ,
> | (add-hook 'gnus-message-setup-hook 'mml-secure-message-sign-smime)
> | (setq mml-secure-method "smime")
> `

This might be possible with Posting Styles if your e-mails with different senders are in different groups. See variable gnus-posting-styles and the info page to which it points.

To me, the following part seems promising. Note that the body string could be a function call that produces a secure tag.

    ((posting-from-work-p) ;; A user defined function
     (signature-file "~/.work-signature")
     (address "u...@bar.foo")
     (body "You are fired.\n\nSincerely, your boss.")
     ("X-Message-SMTP-Method" "smtp smtp.example.org 587")
     (organization "Important Work, Inc"))

Best wishes
Jens
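One way to choose the signing method from the sender address at send time, as an added example that is not part of the original message or of Gnus itself. The `my/` names and the sample address are hypothetical, and the code assumes the sender is either in the From header or in `user-mail-address`.

```elisp
;;; Added example: pick S/MIME or PGP/MIME signing per sender address.
(require 'message)
(require 'mml-sec)
(require 'mail-extr)

(defvar my/smime-addresses '("user@certified.example")
  "Constructed sample: addresses contained in the S/MIME certificate.")

(defun my/message-from-address ()
  "Return the bare, downcased sender address of the current message buffer.
Falls back to `user-mail-address' when no From header has been inserted yet."
  (let ((from (save-excursion
                (save-restriction
                  (message-narrow-to-headers)
                  (message-fetch-field "From")))))
    (downcase
     (or (and from (cadr (mail-extract-address-components from)))
         user-mail-address))))

(defun my/sign-by-from ()
  "Insert a sign tag whose method matches the sender address.
S/MIME is used only for addresses listed in `my/smime-addresses', so the
certificate always names the sender; all other addresses get PGP/MIME.
Note that inserting a sign tag replaces a secure tag already in the buffer."
  (if (member (my/message-from-address) my/smime-addresses)
      (mml-secure-message-sign-smime)
    (mml-secure-message-sign-pgpmime)))

;; Run at send time, when the sender can no longer be edited.  This takes
;; the place of an unconditional entry in gnus-message-setup-hook.
(add-hook 'message-send-hook #'my/sign-by-from)
```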
Re: Signing a message with S/MIME in Gnus?
On 2022-11-02, at 20:51, Angel de Vicente wrote:

> [...]
> But here is a question. To send messages to this group I use another
> e-mail address (which is not present in any of the certificates). There
> is no way for me, then, to sign messages to this group with S-MIME?

There is. Before coming to that, please reconsider for what you ask: Alice sends a message to Bob, but the message is signed by Mallory. What is Bob supposed to do with this?

IMO, the signature should really match the sender’s FROM address. Maybe you can ask your CA to include your other e-mail addresses as well? Or switch to GnuPG for your other e-mail addresses, where you are in control and not some CA (which Bob probably does neither know nor trust anyways)? See [1] for more information.

Coming back to your question: You can customize mml-secure-smime-signers to include a list of IDs of signing keys.

Best wishes
Jens

P.S. Google “protects” you from receiving my e-mails addressed to you directly as I spoof my FROM address here (SPF and DKIM both 550-5.7.26 do not pass). Thus, I remove your e-mail address in this reply.

P.P.S. If you do not need direct replies, Gnus (Message, in fact) can set a Mail-Followup-To header [2].

[1] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/
[2] https://www.gnu.org/software/emacs/manual/html_mono/message.html#Composing-a-correct-MFT-header-automagically
Re: Signing a message with S/MIME in Gnus?
Hi there!

On 2022-11-02, at 09:29, Angel de Vicente wrote:

> Hello,
>
> anyone here familiar with Gnus + S/MIME + gnupg?

Yes :)

> [...]
> But when I try to sign a message from Gnus I always get a message saying
> "No sign key for ; skip it? (y or n)"

I use this:

    (setq mml-secure-smime-sign-with-sender t)

And more: https://gitlab.com/lechten/defaultencrypt

> What do I have to configure in Emacs/Gnus so that it will know that my
> e-mail address is linked to the same certificate used in the command
> line?

Your CA links your e-mail address to your public key, both of which are recorded inside the certificate. Gnus cannot do this. Your output did not show whether the certificate really contains the e-mail address that you used...

Best wishes
Jens
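A way to check from inside Emacs which gpgsm certificates with a private key match a given address, as an added example that is not part of the original message or of Gnus. It assumes S/MIME is handled through epg and gpgsm; the `my/` names and the sample address are hypothetical.

```elisp
;;; Added example: list gpgsm secret certificates matching an address.
(require 'epg)

(defun my/uid-to-string (uid)
  "Return the user ID of UID as a string.
For CMS keys epg may hand back a parsed distinguished name (an alist)
instead of a string, so decode that form first."
  (let ((s (epg-user-id-string uid)))
    (if (stringp s) s (epg-decode-dn s))))

(defun my/smime-sign-certs (address)
  "Return a list of (FINGERPRINT USER-ID...) for secret CMS keys matching ADDRESS.
An empty result means gpgsm finds no secret key whose certificate matches
ADDRESS, so there is nothing to sign with for that sender."
  (mapcar (lambda (key)
            (cons (epg-sub-key-fingerprint (car (epg-key-sub-key-list key)))
                  (mapcar #'my/uid-to-string (epg-key-user-id-list key))))
          ;; Third argument t restricts the listing to secret keys.
          (epg-list-keys (epg-make-context 'CMS) address t)))

;; Example call with a constructed address:
;; (my/smime-sign-certs "user@certified.example")
```

Compare the user IDs in the result with the From address: the address has to appear there for the certificate to vouch for it.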
Re: autoselect GPG key for signing by group
On 2016-12-30, at 08:49, Hikaru Ichijyo wrote:

> How would I setup my key selection to depend on what group I'm in?

This might work: Keep the default (nil) for mml-secure-openpgp-sign-with-sender and set mml-secure-openpgp-signers via posting styles.

Best wishes
Jens

P.S. Your From address is invalid. Thus, my first attempt to send the above failed. To help others answer your questions, you might want to add the header “Mail-Copies-To: never” to your messages. I’m using the piece of code for message-header-setup-hook described over there: https://www.gnu.org/software/emacs/manual/message.html

___
info-gnus-english mailing list
info-gnus-english@gnu.org
https://lists.gnu.org/mailman/listinfo/info-gnus-english
Re: bug with mm-sign-option 'guided
On 2016-03-19, at 18:40, Frank Haun wrote:

> Hi,
>
> this bug is still open. Someone able to fix it?
>
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22751

Sorry, not me. If I’m not mistaken this is caused by Gcc handling, which creates a second message with a second signature. (Instead of creating a copy of the signed message.)

Maybe you don’t need mm-sign-option, though. With Emacs/25.1.50, which you are using, you can customize mml-secure-openpgp-sign-with-sender to use the from address for signing. In case of multiple keys for the from address, the code in 25.1.50 asks you which one to use and allows to customize that choice. Alternatively, there is mml-secure-openpgp-signers.

Best wishes
Jens
Re: possible emacs 24.5 + Gnus problem when using pgpmime and signencrypt
On 2016-03-14, at 17:55, Nils Gillmann wrote:

> So it looks like this problem occurs when I try to /signencrypt/
> and it works when I just ignore the fact that I can't sign.

How do you specify the key for signing? Do you use a smart card?

For me the following works out of the box with gpg-2.0.22 and Emacs 24.3.1 (both part of my distribution) as well as gpg-2.1.11 and Emacs 25.1.50.

    $ killall gpg-agent
    $ unset GPG_AGENT_INFO
    $ emacs -Q

Starting Emacs with "-Q" inhibits loading your configuration, so if the following works you could start from there.

In Emacs, compose a message with `C-x m', insert a To address to which to encrypt, some Subject, don’t worry about the From address. (I’ve got a default-key option in gpg.conf, which defines the signing key. Without that the first secret key in the keyring is used, I guess.)

Evaluate the following (either insert the lines into the message body and press `C-x C-e' at the end of each line or enter each command after `M-:').

--8<---cut here---start->8---
(setq debug-on-error t)
(setq epg-debug t)
(setq epg-gpg-program "gpg2")
--8<---cut here---end--->8---

So, customizing epg-gpg-program should be all you need.

Then choose menu “Attachments->Sign and Encrypt Message”, which inserts the secure MML tag. Then choose “Attachments->Preview”, which performs the encryption and signing (hopefully):

* A passphrase dialogue for the private signing key appears. Enter correct passphrase.
* Then, a dialogue appears asking whether to decrypt. Answer no.

The MIME preview buffer contains something like “[1. application/pgp-encrypted]”, while the encrypted bytes are in buffer " *mm*" or " *mm*-" (note the leading space in the name). In the buffer " *epg-debug*" (again with leading space), debug output for gpg is visible.

If signature fails, maybe use this in gpg-agent.conf to create debug output in /tmp/gpg-agent.log:

--8<---cut here---start->8---
verbose
log-file /tmp/gpg-agent.log
debug-all
--8<---cut here---end--->8---

Best wishes
Jens
Re: Trouble with GnuPG 2.1
On 2016-03-13, at 17:21, Nils Gillmann wrote:

> Jens Lechtenboerger writes:
>
>> On 2016-03-13, at 16:16, Nils Gillmann wrote:
>>
>>> So I ran into this issue with gpg2.1 on emacs-24.5 and Gnus where
>>> I can *de*crypt emails but I can't encrypt or sign.
>>
>> What exactly is the problem?
>>
>> You are using EasyPG, right? In your configuration,
>> (setq epg-debug t)
>> appeared in comments. What do you see in the debug buffer if you
>> enable debugging?
>
>
> Right, sorry I forgot that part.
> Here's the debugger output with the NUL symbols stripped:
>
> Debugger entered--Lisp error: (error "Process epg not running")
> signal(error ("Process epg not running"))
> byte-code("\203\302@!\210A\211\204\303 @ A\"\207"
> [mml2015-epg-secret-key-id-list error password-cache-remove signal] 4)
> mml2015-epg-encrypt((part (sign . "pgpmime") (encrypt . "pgpmime")
> (tag-location . 281) (contents . "\nThis is a test reply to get an debug
> result for Gnus\n\n-- \nng\npersonal contact: http://krosos.sdf.org\nEDN:
> https://wiki.c3d2.de/Echt_Dezentrales_Netz/en\n";)) t)

I’ve never seen this.

What is your epg-gpg-program? Is gpg-agent running? If so is the correct version of gpg-agent running? Maybe kill gpg-agent first; it should be started automatically with gpg-2.1.

If you set

    (setq epg-debug t)

what does the buffer " *epg-debug*" contain?

Best wishes
Jens
Re: Trouble with GnuPG 2.1
On 2016-03-13, at 16:16, Nils Gillmann wrote:

> So I ran into this issue with gpg2.1 on emacs-24.5 and Gnus where
> I can *de*crypt emails but I can't encrypt or sign.

What exactly is the problem?

You are using EasyPG, right? In your configuration,

    (setq epg-debug t)

appeared in comments. What do you see in the debug buffer if you enable debugging?

Best wishes
Jens
Re: Passphrase caching for GnuPG in Emacs?
On 2016-01-05, at 17:40, Teemu Likonen wrote:

> Jens Lechtenboerger [2015-11-08 17:00:56+01] wrote:
>
>> I plan to refactor the code used for GnuPG in the Message mode of
>> Emacs (Gnus) and started a discussion on the Gnus devel mailing list
>> ding. An open issue is passphrase caching within Emacs, which might be
>> removed in the future.
>
> I'd like to move pretty much all password caching outside Emacs so I'm
> fine with such plans. Do your plans include mail-source-password-cache
> too?

No, I was just referring to GnuPG passphrases.

> For example, in my system Gnus's mail-sources variable is set to fetch
> mail from a server. The password is stored in ~/.authinfo.gpg but then
> stored in mail-source-password-cache variable:
>
> (("server:login:nil" . "password"))
>
> I'd like to get rid of that too.

I wasn’t aware of this, and I don’t like that either.

Best wishes
Jens
Re: Trust and public keys
On 2015-11-18, at 15:04, Uwe Brauer wrote:

>> That came out wrong, then. Part of my problem would be to figure
>> out the “real” e-mail address of “Ed Snowden”. If you registered
>> the fresh e-mail address “ed.snow...@gmail.com” and uploaded a
>> matching key to usual keyservers, then I might fall for that. No
>> special attack skills required.
>
> Correct but this applies to smime and gpg.

I’ll refer to this point below.

> [...]
>> For me as malicious CA (or intruder into a CA) there is no reason to
>> steal the private key as I could generate a certificate with
>> matching private key in your name for your e-mail address, which is
>> “trusted”. Then I could send signed e-mails in your name. That
>> alone might get you into trouble, but you might receive responses
>> that alert you about some ongoing attack. If I was a powerful
>> attacker, able to replace e-mails on the way, I could additionally
>> re-encrypt (modified) responses to your real certificate (or drop
>> messages entirely), and you would never know I was there.
>
>> If I cannot replace e-mails on the way, I can still send “trusted”
>> signed e-mails in your name and tell the recipients to switch to
>> different e-mail addresses with “trusted” certificates. Then,
>> again, I can re-encrypt responses to your real certificate and
>> e-mail address.
>
> But in all of these scenarios you need to hack the email account. It is
> not sufficient just to use a linux smptmail server and manipulate the
> form field. You also have to intercept the reply.

No, please re-read the paragraph starting with: “If I cannot replace”

> I don't see much of a difference between
>
> - the pgp scenario: to place a falsified pgp key on a server
>
> - the smime scenario: to crack a smime certificate by breaching a
>   CA (which is more difficult than placing a falsified pgp key).

I agree to your above statement “Correct but this applies to smime and gpg.” Thus, I consider the following attacks to be comparable: Upload some OpenPGP key and register some S/MIME certificate. However, newbies are warned not to trust downloaded OpenPGP keys, while I’m not aware of similar warnings for “trusted” (signed) S/MIME certificates.

> Again the question was is smime easier to use.

No. The question was whether someone on this list uses S/MIME with OpenSSL and would object to a change of defaults to epg.

The current topic is “Trust and public keys.” I changed that in response to your e-mail where you stated: “Keys signed by these authorities have to be trusted 100 \%.”

The ensuing discussion helped me to see clearer: There are S/MIME certificates that have been issued without checks (except ability to receive e-mail), which I find ridiculous given the goal of certification. The situation is even worse than I thought initially.

Best wishes
Jens
Re: Trust and public keys
On 2015-11-15, at 21:07, Uwe Brauer wrote:

> If I had to communicate something really secret say with Ed Snowden, I
> would use of course use gpg[1] and not smime, ,
> then I would try somehow to compare the fingerprints of the keys by some
> secure means (a secure chat).
>
> Now if you say that all the above scenarios are usually out of reach of
> «normal» attackers,

That came out wrong, then. Part of my problem would be to figure out the “real” e-mail address of “Ed Snowden”. If you registered the fresh e-mail address “ed.snow...@gmail.com” and uploaded a matching key to usual keyservers, then I might fall for that. No special attack skills required.

I don’t know too much about CAs that issue e-mail certificates for free. However, based on your description of Comodo I guess that you could also obtain an S/MIME certificate in the above case (for ed.snow...@gmail.com after registering that address). So the “trust” built into S/MIME seems worthless.

> When I apply for a certificate the private key is generated by the crypt
> module of my browser. Are you suggesting that this is also hacked? That
> indeed would be disastrous. Then indeed the intruder could obtain a copy
> of my private key and sell it to some sinister organisation.

For me as malicious CA (or intruder into a CA) there is no reason to steal the private key as I could generate a certificate with matching private key in your name for your e-mail address, which is “trusted”. Then I could send signed e-mails in your name. That alone might get you into trouble, but you might receive responses that alert you about some ongoing attack. If I was a powerful attacker, able to replace e-mails on the way, I could additionally re-encrypt (modified) responses to your real certificate (or drop messages entirely), and you would never know I was there.

If I cannot replace e-mails on the way, I can still send “trusted” signed e-mails in your name and tell the recipients to switch to different e-mail addresses with “trusted” certificates. Then, again, I can re-encrypt responses to your real certificate and e-mail address.

Best wishes
Jens
Trust and public keys (was: S/MIME with OpenSSL?)
On 2015-11-13, at 18:55, Uwe Brauer wrote:

> - PGP creates a net of trust: there are key servers where you can
>   upload your public keys so that it can be signed by people you
>   trust. As a rule of the thumb: one should trust a public key if
>   its signed by somebody one trusts or if this is not the case,
>   trust a key which has a lot of signatures.

The number of signatures does not tell much. Attackers can create as many as they like.

>   One should never just
>   use a public key which has been sent to him/her, since one cannot
>   trust it.

That depends on the scenario. If I know your “real” e-mail address, it does not hurt if I use a public key for that e-mail address that I just “found” (e-mail, key server, homepage). If an attacker, say Mallory, created that key in your name, Mallory would need to intercept all e-mails encrypted under that forged key and replace them with e-mails encrypted to your real key (or plaintext ones) to go undetected. I don’t think that ordinary human beings need to care about attackers of such power. Of course, if they did care, all they would need to do is verify key fingerprints via some out-of-band channel. No signatures required, but admittedly beyond the reach of “illiterate” users.

(Besides, attackers that are able to replace encrypted e-mails should also be able to create S/MIME certificates for other people’s e-mail addresses.)

> - SMIME has a hierarchical model: there are a dozen or so
>   certificate authorities (CA) which can sign keys.

The color map at [0] shows about 650 of them.

>   Keys signed by these authorities have to be trusted 100 \%.

Do you realize what you just said? With CAs, the positive term “trust” is misused to hide something else. “Having to trust” just does not make sense. I don’t trust CAs, for good reasons. Trust has to be earned. PKIs fail with the weakest link, and there are too many examples of broken links [1, 2, 3, 4, 5].

>   All software mail programs I listed are configured such
>   that public keys signed by these authorities are
>   trusted.

Please, do not misuse the term “trust”. I wrote about that in some detail elsewhere [6].

Best wishes
Jens

[0] https://www.eff.org/files/colour_map_of_cas.pdf
[1] http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html
[2] https://blog.mozilla.org/security/2013/12/09/revoking-trust-in-one-anssi-certificate/
[3] https://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
[4] http://googleonlinesecurity.blogspot.de/2015/03/maintaining-digital-certificate-security.html
[5] https://googleonlinesecurity.blogspot.com/2015/09/improved-digital-certificate-security.html
[6] https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/
Re: Passphrase caching for GnuPG in Emacs?
On 2015-11-11, at 09:15, Kevin Brubeck Unhammer wrote:

> Can the pinentry-program setting be changed on-the-fly so I can say
> "give me the gtk one" or "give me the curses one" depending on
> (display-graphic-p) ?

I don’t know about that. However, /usr/bin/pinentry-gtk-2 falls back to curses in a “real” terminal.

I realize that I may have misunderstood tomás, and I’m also not sure about your use cases: In a “GUI terminal” (say, xterm), pinentry-gtk-2 pops up a window, whereas it uses that terminal if there is no GUI.

Best wishes
Jens
Re: Passphrase caching for GnuPG in Emacs?
On 2015-11-09, at 09:45, to...@tuxteam.de wrote:

> On Sun, Nov 08, 2015 at 05:00:56PM +0100, Jens Lechtenboerger wrote:
>> Hi there,
>>
>> I plan to refactor the code used for GnuPG in the Message mode of
>> Emacs [...]
>
>> If I’m not mistaken (please let me know if I’m wrong), with GnuPG
>> 2.x (and gpgsm) passphrases cannot be cached within Emacs as
>> gpg-agent is started automatically and tries to invoke a pinentry
>> program.
>
> Just a question: how do you plan to handle this pinentry?

Actually, that’s not me, but GnuPG. And I just realized that I’m mistaken, pinentry in Emacs is possible but not recommended, see below.

> The last time I gave gpg 2 a try, a crude GTK dialog appeared from
> nowhere (disrupting my command line workflow). I just ran away,
> screaming.
>
> It seems there's a command-line pinentry these days. From Emacs,
> my dream would be that it's Emacs which handles user interaction.

What you describe is the default for GUIs, I guess. If I use the option

    pinentry-program /usr/local/bin/pinentry-curses

in gpg-agent.conf and start Emacs within a terminal (option -nw), then the passphrase needs to be entered within the terminal window, whose contents get replaced by pinentry-curses while entering the passphrase. Would that be good enough for you?

Moreover, as mentioned above there is Emacs support in pinentry, which can be enabled by configure options at compile time. From the pinentry info pages:

“Having Emacs get the passphrase is convenient, however, it is a significant security risk. Emacs keeps all key presses buffered. (You can see the recent key presses by typing 'C-h l' ('view-lossage') in emacs.) Further, Emacs is a huge program, which doesn't provide any process isolation to speak of. As such, having it handle the passphrase adds a huge chunk of code to the user's trusted computing base. Because of this concern, Emacs doesn't enable this by default (the user has to run '(pinentry-start)', e.g., from his or her '.emacs' file, explicitly).”

Out of curiosity: Are you customizing any of the 8 variables related to passphrase caching that I mentioned in my earlier message?

Best wishes
Jens
S/MIME with OpenSSL?
Hi there,

I plan to refactor the code used for GnuPG in the Message mode of Emacs (Gnus) and started a discussion on the Gnus devel mailing list ding. An open issue is the use of OpenSSL for S/MIME in Emacs, which might be removed in the future. So if you use S/MIME via OpenSSL, please let me know why.

I recommend that you use gpgsm instead of openssl for S/MIME as:

** Gpgsm manages certificates (storage, expiry, revocation). Users need to perform those tasks manually with openssl.
** Openssl has bugs as documented in the BUGS section of man smime(1). In particular: SMIMECapabilities are ignored, no revocation checking is done on the signer's certificate.
** Advertised SMIMECapabilities include broken encryption algorithms. With the precompiled openssl 1.0.1f on my system RC2 is advertised, which should have been dropped since S/MIME 3.x, see: https://tools.ietf.org/html/rfc5751#appendix-B

Currently, openssl is preferred over epg (gpgsm), via

    (defcustom mml-smime-use (if (featurep 'epg) 'epg 'openssl))

in mml-smime.el. However, epg does not get loaded on its own even if it is present. Thus, users need to set mml-smime-use or require epg in their ~/.emacs, but the manual does not mention gpgsm at all. I plan to change this to prefer epg by default (and to document and recommend gpgsm).

What’s your opinion?

Best wishes
Jens

P.S. I’d like to clarify that I recommend OpenPGP, not S/MIME. Still, S/MIME is better than plaintext.
Passphrase caching for GnuPG in Emacs?
Hi there,

I plan to refactor the code used for GnuPG in the Message mode of Emacs (Gnus) and started a discussion on the Gnus devel mailing list ding. An open issue is passphrase caching within Emacs, which might be removed in the future. So if you encrypt e-mail and cache passphrases inside Emacs (instead of gpg-agent), please let me know why.

Also, do you think that it is necessary to have four different variables to enable caching and another four to control caching duration? (mml-secure-cache-passphrase, mml1991-cache-passphrase, mml2015-cache-passphrase, mml-smime-cache-passphrase; mml-secure-passphrase-cache-expiry, mml1991-passphrase-cache-expiry, mml2015-passphrase-cache-expiry, mml-smime-passphrase-cache-expiry)

As gpg-agent is the daemon to manage secret keys, I recommend to use that as trusted place to cache passphrases, which works with GnuPG 1.x. as well as 2.x. Note that GnuPG 2.x is where the development happens, and according to GnuPG’s README, “2.0 is the current stable version for general use”, while “1.4 is the old standalone version which is most suitable for older or embedded platforms.”

If I’m not mistaken (please let me know if I’m wrong), with GnuPG 2.x (and gpgsm) passphrases cannot be cached within Emacs as gpg-agent is started automatically and tries to invoke a pinentry program. So, caching-related variables only apply to GnuPG 1.x and S/MIME with openssl (I suggest not to advertise the latter any longer and will send a separate e-mail to discuss that), which should be documented if we plan to keep that functionality.

What’s your opinion?

Best wishes
Jens

P.S. Encryption is self-defense. Learn more: https://emailselfdefense.fsf.org/
Re: GPG decryption with ngnus?
Lars Magne Ingebrigtsen <[EMAIL PROTECTED]> writes:

> Jens Lechtenboerger <[EMAIL PROTECTED]> writes:
>
>> When reading encrypted e-mail, I get asked "Decrypt (PGP) part?"
>> After pressing "y" and entering my passphrase, the *Article* buffer
>> contains just header lines, but nothing else (no body, no
>> plaintext).
>
> I think this may have just been fixed in CVS Gnus.

No. This is what happened: In my gpg.conf "use-agent" was enabled, but there was no agent. So, gpg issues a warning that there is no Agent, decrypts and verifies everything just fine, and exits with status 2. Then, pgg assumes a failure (although the *pgg-gpg-debug* buffer contains success messages).

I've got a different problem now. Sometimes I can't decrypt mail because pgg claims that my passphrase is incorrect. The *pgg-gpg-debug* buffer also has corresponding error messages. I'm pretty sure that I type in my passphrase correctly, though. The prompt appears over and over again, and I'm having difficulties escaping it. C-g doesn't help. (I'm typing an Umlaut then, which leads to "error in process filter: Attempt to change byte length of a string" and allows me to escape. Once, I even crashed Emacs with repeated Umlauts and C-g's... Is there a better escape sequence?)

So far this only occurs with large (> 5.7 MB) encrypted attachments. Manual decryption with gpg works just fine.

Any ideas?

Jens
GPG decryption with ngnus?
Hi there,

I'm trying emacs 21.4.2 with No Gnus v0.4 and GnuPG 1.4.2.2 on linux.

When reading encrypted e-mail, I get asked "Decrypt (PGP) part?" After pressing "y" and entering my passphrase, the *Article* buffer contains just header lines, but nothing else (no body, no plaintext). Instead, in /tmp there appears a world-readable file "pgg-outputXYZ", which contains the plaintext.

BTW when installing mailcrypt-3.5.8 and using mc-decrypt, I get the following:

    mc-decrypt-message: Found no encrypted message in this buffer.

Any ideas how to display the plaintext in the article buffer? (And to avoid the file in /tmp...)

Thanks in advance
Jens